Tom Lane wrote:
Robert Treat <[EMAIL PROTECTED]> writes:
Did you mean s/trust/ident/g, otherwise I don't think I understand the above...

Both trust and ident local auth are sources of risk for this, although
ident is particularly nasty since the DBA probably thinks he's being

For that matter, I'm not sure that *any* auth method except password
offers much security against the problem; don't LDAP and Kerberos
likewise rely mostly on process-level identity?  And possibly PAM
depending on which PAM plugin you're using?

OK, so following that line of thought, how about:

    As a security precaution, dblink revokes access from PUBLIC role
    usage for the dblink_connect functions. It is not safe to allow
    ordinary users to execute dblink from a database in a PostgreSQL
    installation that allows account access using any authentication
    method which does not require a password. In that case, ordinary
    users could gain access to other accounts via dblink as if they
    had the privileges of the database superuser.

    If the allowed authentication methods require a password, this is no
    longer an issue.

I'm not sure whether this is something to back-patch, though, since
a back-patch will accomplish zero for existing installations.

OK. But it might still be worth doing, along with something in the release notes.


---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

Reply via email to